E-MailRelay
A thin interface to the system PAM library, with two pure virtual methods that derived classes should implement: the converse() method supplies passwords etc.
#include <gpam.h>
Classes
  class Error: An exception class for G::Pam.
  struct Item: A structure used by G::Pam to hold conversation items.

Public Types
  using ItemArray = std::vector<Item>

Public Member Functions
  Pam(const std::string& app, const std::string& user, bool silent): Constructor.
  virtual ~Pam(): Destructor.
  bool authenticate(bool require_token): Authenticates the user.
  std::string name() const: Returns the authenticated user name.
  void checkAccount(bool require_token): Does "account management", checking that the authenticated user is currently allowed to use the system.
  void establishCredentials(): Imbues the authenticated user with their credentials, such as "tickets" in the form of environment variables etc.
  void openSession(): Starts a session.
  void closeSession(): Closes a session.
  void deleteCredentials(): Deletes credentials.
  void reinitialiseCredentials(): Reinitialises credentials.
  void refreshCredentials(): Refreshes credentials.
  virtual void converse(ItemArray&) = 0: Called to pass a message to the user, or request a password etc.
  virtual void delay(unsigned int usec) = 0: Called when the pam library wants the application to introduce a delay to prevent brute-force attacks.
  Pam(const Pam&) = delete
  Pam(Pam&&) = delete
  Pam& operator=(const Pam&) = delete
  Pam& operator=(Pam&&) = delete
A thin interface to the system PAM library, with two pure virtual methods that derived classes should implement: the converse() method supplies passwords etc. and delay() implements an optional anti-brute-force delay.
As per the PAM model the user code should authenticate(), then checkAccount(), then establishCredentials() and finally openSession().
Usage:
G::Pam::Pam(const std::string& app, const std::string& user, bool silent)
Constructor.
Definition at line 355 of file gpam_linux.cpp.
bool G::Pam::authenticate(bool require_token)
Authenticates the user.
Typically issues a challenge, such as password request, using the converse() callback.
Returns false if it needs to be called again because converse() did not fill in all the prompted values. Returns true if authenticated. Throws on error.
Definition at line 363 of file gpam_linux.cpp.
void G::Pam::checkAccount(bool require_token)
Does "account management", checking that the authenticated user is currently allowed to use the system.
Definition at line 370 of file gpam_linux.cpp.
void G::Pam::closeSession()
Closes a session.
Definition at line 394 of file gpam_linux.cpp.
virtual void G::Pam::converse(ItemArray&) [pure virtual]
Called to pass a message to the user, or request a password etc.
Typically the array is a single password prompt. The password should then be put into the 'out' string and the boolean flag set.
For each item in the array which is a prompt the implementation is required to supply a response value.
In an event-driven environment the response values can be left unassigned, in which case the outer authenticate() call will return false. The authenticate() can then be called a second time once the requested information is available.
virtual void G::Pam::delay(unsigned int usec) [pure virtual]
Called when the pam library wants the application to introduce a delay to prevent brute-force attacks.
The parameter may be zero.
Typically called from within authenticate(), i.e. before authenticate() returns.
A default implementation is provided (sic) that does a sleep.
In an event-driven application the implementation of this method should start a timer and avoid initiating any new authentication while the timer is running.
Definition at line 423 of file gpam_linux.cpp.
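The call ordering given earlier (authenticate(), then checkAccount(), establishCredentials() and openSession()), the event-driven converse() contract (leave a prompt unanswered and authenticate() returns false until it is called again) and the timer-based delay() are brought together in the following added example. It is not E-MailRelay code and does not include gpam.h: Demo::PamModel is a stand-in for G::Pam that models the documented behaviour against a constructed hard-coded password, and the Item field names (in, is_prompt, out, out_set), the EventDrivenPam, tick(), supplyPassword(), promptPending(), canAttempt() and runFlow() names, and the user name "alice" are all assumptions.

```cpp
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

namespace Demo {

// Conversation item. The page says a prompt's answer goes into an 'out'
// string and "the boolean flag" is set; these field names are assumptions.
struct Item {
    std::string in;    // prompt or message text from the PAM stack
    bool is_prompt;    // true when a response is required
    std::string out;   // response filled in by converse()
    bool out_set;      // the flag marking 'out' as valid
};
using ItemArray = std::vector<Item>;

// Stand-in for G::Pam (assumption) with a constructed credential check.
class PamModel {
public:
    PamModel(const std::string& /*app*/, std::string user, bool /*silent*/)
        : m_user(std::move(user)) {}
    virtual ~PamModel() = default;

    // false: converse() left a prompt unanswered, call again later.
    // true: authenticated. Throws (after delay()) on a wrong password.
    bool authenticate(bool /*require_token*/) {
        ItemArray items{{"Password: ", true, "", false}};
        converse(items);
        for (const Item& i : items)
            if (i.is_prompt && !i.out_set) return false;
        if (items[0].out != kSecret) {
            delay(2000000);  // PAM asks the application to slow down retries
            throw std::runtime_error("authentication failed");
        }
        m_state = State::Authenticated;
        return true;
    }
    // The remaining calls enforce the order the page prescribes.
    void checkAccount(bool /*require_token*/) { require(State::Authenticated); }
    void establishCredentials() { require(State::Authenticated); m_state = State::Credentialed; }
    void openSession() { require(State::Credentialed); m_state = State::InSession; }
    void closeSession() { require(State::InSession); m_state = State::Credentialed; }
    void deleteCredentials() { require(State::Credentialed); m_state = State::Authenticated; }
    std::string name() const { return m_user; }

    virtual void converse(ItemArray&) = 0;
    virtual void delay(unsigned int usec) = 0;

private:
    enum class State { Fresh, Authenticated, Credentialed, InSession };
    void require(State s) const {
        if (m_state != s) throw std::logic_error("PAM call out of order");
    }
    static constexpr const char* kSecret = "correct horse";  // constructed
    std::string m_user;
    State m_state = State::Fresh;
};

// Event-driven client: answers the prompt only once the password has arrived
// and refuses new attempts while the delay() timer is running.
class EventDrivenPam : public PamModel {
public:
    using PamModel::PamModel;
    void tick(long now_usec) { m_now_usec = now_usec; }
    void supplyPassword(const std::string& pw) { m_password = pw; m_have_password = true; }
    bool promptPending() const { return m_prompt_pending; }
    bool canAttempt() const { return m_now_usec >= m_blocked_until_usec; }

    void converse(ItemArray& items) override {
        for (Item& i : items) {
            if (!i.is_prompt) continue;  // informational text only
            if (m_have_password) {
                i.out = m_password; i.out_set = true;
                m_have_password = false; m_prompt_pending = false;
            } else {
                m_prompt_pending = true;  // left unassigned on purpose
            }
        }
    }
    void delay(unsigned int usec) override {  // a timer instead of a sleep
        m_blocked_until_usec = m_now_usec + static_cast<long>(usec);
    }

private:
    std::string m_password;
    bool m_have_password = false, m_prompt_pending = false;
    long m_now_usec = 0, m_blocked_until_usec = 0;
};

// Drives the full sequence with a simulated clock; returns the steps taken.
std::vector<std::string> runFlow(const std::string& password, long now_usec) {
    std::vector<std::string> steps;
    EventDrivenPam pam("emailrelay", "alice", true);  // constructed names
    pam.tick(now_usec);
    if (!pam.authenticate(false) && pam.promptPending()) steps.push_back("prompted");
    pam.supplyPassword(password);  // the client's reply arrives later
    try {
        if (pam.authenticate(false)) {
            steps.push_back("authenticated:" + pam.name());
            pam.checkAccount(false);     steps.push_back("account");
            pam.establishCredentials();  steps.push_back("credentials");
            pam.openSession();           steps.push_back("session");
            pam.closeSession();          steps.push_back("closed");
            pam.deleteCredentials();     steps.push_back("deleted");
        }
    } catch (const std::runtime_error&) {
        steps.push_back("rejected");
        pam.tick(now_usec + 1000000);
        steps.push_back(pam.canAttempt() ? "retry-ok" : "blocked");
        pam.tick(now_usec + 2000000);
        steps.push_back(pam.canAttempt() ? "retry-ok" : "blocked");
    }
    return steps;
}

}  // namespace Demo
```

The point to take from it is the two paths a client has to handle: authenticate() returning false means the prompt is still outstanding and the same call is simply repeated once the password has arrived, while a thrown error after delay() means the attempt failed and, because delay() here only records a deadline rather than sleeping, the application itself has to refuse new attempts until that deadline has passed.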
void G::Pam::deleteCredentials()
Deletes credentials.
Definition at line 402 of file gpam_linux.cpp.
void G::Pam::establishCredentials()
Imbues the authenticated user with their credentials, such as "tickets" in the form of environment variables etc.
Definition at line 378 of file gpam_linux.cpp.
std::string G::Pam::name() const
Returns the authenticated user name.
In principle this can be different from the requesting user name passed in the constructor.
Definition at line 439 of file gpam_linux.cpp.
void G::Pam::openSession()
Starts a session.
Definition at line 386 of file gpam_linux.cpp.
void G::Pam::refreshCredentials()
Refreshes credentials.
Definition at line 416 of file gpam_linux.cpp.
void G::Pam::reinitialiseCredentials()
Reinitialises credentials.
Definition at line 409 of file gpam_linux.cpp.